Linux Malware Detect (LMD), also known as Maldet, is a malware scanner for Linux released under the GNU GPLv2 license. It is particularly effective for the detection of php backdoors, darkmailers and many other malicious files that can be uploaded on a compromised website. It will help you do detect infected websites and clean the infection, however securing the compromised user or website is still necessary to avoid re-infection.
If the server has cPanel , we recommend you install ClamAV first, as maldet will use the ClamAV scan engine. ClamAV installation instructions are available here.
You will need to be logged in as root to the server over SSH.
1 - Install maldet
cd /usr/local/src/ && wget http://www.rfxn.com/downloads/maldetect-current.tar.gz && tar -xzvf maldetect-current.tar.gz && cd maldetect-* && sh install.sh
This will automatically install a cronjob inside /etc/cron.daily/maldet so a daily scan will be run for local cPanel or Plesk accounts.
2 - Make sure to update to the latest version and virus signatures:
maldet -d && maldet -u
3 - Run the first scan manually
To scan a specific user's home directory, run the following command:
maldet -a /home/user
To launch a background scan for all user's public_html and public_ftp in all home directories, run the following command:
maldet -b --scan-all /home?/?/public_?
(We also recommend you to scan /tmp and /dev/shm/)
4 - Verify the scan report
We recommend you to always read the scan reports before doing a quarantine. You will also be able to identify infected websites for further actions.
List all scan reports time and SCANID:
maldet --report list
Show a specific report details :
maldet --report SCANID
Â
Show all scan details from log file:
grep "{scan}" /usr/local/maldetect/event_log
Â
5 - Clean the malicious files
By default the quarantine is disabled. You will have to launch it manually.
maldet -q SCANID
6 - (optional) Automatically quarantine detected malware
Please review these configuration variables in /usr/local/maldetect/conf.maldet
variable    value    description
quar_hits    number    if the number is different than 0, enables automatic quarantine
7- (optional) Configure scan reports e-mail alerts
Maldet can send you and email alert each time it detects malware. Please review these configuration variables in /usr/local/maldetect/conf.maldet
variable    value    description
email_alert    1 or 0    enable or disable e-mail alerts
email_addr    e-mail address    target e-mail for notifications, should be put in quotes like: "myuser@mydomain.com"
More information is available: /usr/local/maldetect/conf.maldet or https://www.rfxn.com/projects/linux-malware-detect/
Â
Â
Running full malware scan user home directories
First i suggest full scan user home directories to detect and clean malware:
The Bellow command will scan all files and directories within the /home directory, which is where the content for cPanel accounts is stored.
# maldet -a /home/? |
Later you can only scan example all .php files. Command Below:
#maldet --include-regex ".*.php$" -a /home/?/public_html |
Below is a sample output of what you should see:
root@server [~] # maldet -a /home/? |
Linux Malware Detect v1.5.0 |
            (C) 2002-2013, R-fx Networks <proj@r-fx.org> |
            (C) 2013, Ryan MacDonald <ryan@r-fx.org> |
inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern. id .au> |
This program may be freely redistributed under the terms of the GNU GPL v2 |
 |
maldet(15196): {scan} signatures loaded: 10727 (8823 MD5 / 1904 HEX) |
maldet(15196): {scan} building file list for /home/*, this might take awhile... |
maldet(15196): {scan} file list completed, found 1124974 files... |
maldet(15196): {scan} found ClamAV clamscan binary, using as scanner engine... |
maldet(15196): {scan} scan of /home/* (1124974 files) in progress... |
 |
maldet(15196): {scan} scan completed on /home/*: files 1124974, malware hits 0, cleaned hits 0 |
maldet(15196): {scan} scan report saved, to view run: maldet --report 013344-1347.5196 |
root@server [~] # |